And how are you going to authenticate with the second application using this approach - by faking a request to j_security_check? That doesn't exactly seem clean. Please do elaborate on "more scalable" as well.
– ChssPly76 Oct 28 '09 at 17:04

Both apps use the token from the cookie to look up the user's session in the shared database. Synchronizing state between servers isn't as scalable as stateless servers. Session state should be in the cookie and database.
– thethinman Oct 29 '09 at 3:42
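The cookie-token lookup that thethinman describes, written out as an added example (this is not code from either commenter): a servlet filter reads the token from the cookie, looks up the row both applications share, and wraps the request so that `getUserPrincipal()` and `isUserInRole()` reflect the shared session. The cookie name `SSO_TOKEN`, the `SessionRecord` fields, the `SharedSessionStore` interface and the in-memory store standing in for the shared database are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** One row of the shared session table (assumed schema: token hash, user, roles, expiry). */
final class SessionRecord {
    final String username;
    final Set<String> roles;
    final Instant expiresAt;

    SessionRecord(String username, Set<String> roles, Instant expiresAt) {
        this.username = username;
        this.roles = roles;
        this.expiresAt = expiresAt;
    }

    boolean isExpired() { return Instant.now().isAfter(expiresAt); }
}

/** Abstraction over the shared database both applications read from (assumed interface). */
interface SharedSessionStore {
    SessionRecord findByTokenHash(String tokenHash); // null when no row matches
}

public class TokenSessionFilter implements Filter {
    static final String COOKIE_NAME = "SSO_TOKEN"; // constructed name, not from the thread
    private SharedSessionStore store;

    /** Hypothetical in-memory store standing in for the shared database. */
    static final class InMemoryStore implements SharedSessionStore {
        private final Map<String, SessionRecord> rows = new ConcurrentHashMap<>();
        void put(String rawToken, SessionRecord rec) { rows.put(hashToken(rawToken), rec); }
        @Override public SessionRecord findByTokenHash(String hash) { return rows.get(hash); }
    }

    @Override public void init(FilterConfig cfg) { store = new InMemoryStore(); }
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String token = cookieValue(http, COOKIE_NAME);
        SessionRecord rec = (token == null) ? null : store.findByTokenHash(hashToken(token));
        if (rec == null || rec.isExpired()) {
            // No usable shared session: continue unauthenticated so the
            // container's own rules decide what happens to the request.
            chain.doFilter(req, res);
            return;
        }
        chain.doFilter(new AuthenticatedRequest(http, rec), res);
    }

    static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /** Only a hash of the token is stored, so a leaked table does not yield usable session tokens. */
    static String hashToken(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Presents the shared session as the request's principal for programmatic checks. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final SessionRecord rec;

        AuthenticatedRequest(HttpServletRequest req, SessionRecord rec) {
            super(req);
            this.rec = rec;
        }

        @Override public Principal getUserPrincipal() {
            return new Principal() { @Override public String getName() { return rec.username; } };
        }
        @Override public String getRemoteUser() { return rec.username; }
        @Override public boolean isUserInRole(String role) { return rec.roles.contains(role); }
        @Override public String getAuthType() { return "SHARED_TOKEN"; }
    }
}
```

Two caveats the filter makes visible. Expiry is checked on every request, so revoking a row in the shared table logs the user out of both applications at once, which the container's own in-memory sessions cannot do. The wrapper only satisfies programmatic checks (`isUserInRole`, `getUserPrincipal`): `<security-constraint>` rules in web.xml and EJB role checks are evaluated by the container's authenticator, which never sees this principal, so declarative security needs a container-level mechanism (a JAAS/JASPIC module or, from Servlet 3.0 onward, `HttpServletRequest.login`) rather than a request wrapper.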

I'm not talking about session state. How are you going to authenticate your user? Who's going to set the principal, what'll happen to declarative security, etc.
– ChssPly76 Oct 29 '09 at 16:51